Using the D-Bus Interface to Firewalld

Firewalld, a dynamic zone-based firewall daemon, has been under development since circa 2009; the latest version at the time of writing, firewalld 0.6.3, was released on Oct 11, 2018. The main developer is Thomas Wörner, who currently works for Red Hat. It became the default firewall mechanism in Fedora 18 and, subsequently, in RHEL 7 and CentOS 7.

Firewalld has several advantages over the older iptables service. Most notably, a change to an iptables-based firewall meant reloading the whole ruleset, which broke established stateful connections; firewalld applies individual changes at runtime without a restart. It also provides a rich, well-thought-out set of D-Bus methods, signals and properties.

This post assumes you are familiar with firewalld and with D-Bus concepts and operation. I focus instead on how to use the rich (as in extensive) firewalld D-Bus interface to retrieve information or change settings.

Firewalld is configured as a systemd D-Bus service. Note the “Type=dbus” directive below.
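As an added illustration (this is not the unit file from the original post, and not the verbatim unit shipped by any particular firewalld release), the directives that make a systemd service a D-Bus service look like this; the authoritative copy on your own machine is whatever "systemctl cat firewalld.service" prints:

```ini
# Illustrative excerpt of a Type=dbus unit for firewalld; line set and values
# are assumptions for this example, check the installed unit before relying on them.
[Unit]
Description=firewalld - dynamic firewall daemon
After=dbus.service

[Service]
# Type=dbus: systemd considers the service started only once the name given in
# BusName= has been acquired on the system bus, not when the process is spawned.
Type=dbus
BusName=org.fedoraproject.FirewallD1
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=basic.target
# The dbus-<bus name>.service alias is the unit name D-Bus bus activation
# (a SystemdService= line in the bus's .service file) uses to start the daemon on demand.
Alias=dbus-org.fedoraproject.FirewallD1.service
```

The practical consequence of Type=dbus is that "systemctl status firewalld" only reports the unit active once the bus name is owned; "busctl list | grep FirewallD1" confirms the name is actually present on the system bus, which is the precondition for every dbus-send call that follows.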

The above output lists all the methods, signals and properties available via the firewalld D-Bus interface. This is the standard D-Bus introspection format, an XML document conforming to the D-Bus introspection DTD. Firewalld, like nearly every D-Bus service, implements the standard org.freedesktop.DBus.Introspectable.Introspect method, which returns this XML; it is the authoritative list of what a given daemon version exports.

With this extensive firewalld D-Bus interface, it is simple for services, applications and users to manage firewall settings. The interface is used by all the firewall configuration tools that talk to the running daemon: firewall-cmd, firewall-config and firewall-applet. (firewall-offline-cmd is the exception; it edits the configuration files directly and does not need the daemon.)

Turning now to our first example, consider the following simple firewall-cmd invocation, which retrieves and prints the default zone, in this case public.

# firewall-cmd --get-default-zone
public
#

Here is how to retrieve the same information using the firewalld D-Bus interface and dbus-send:

The dbus-send command sends a message to a D-Bus message bus and, when given --print-reply, waits for the reply and prints it; without --print-reply it returns immediately and shows nothing. There are two well-known message buses: the system-wide message bus (option --system) and the per-user-login-session message bus (option --session). Firewalld lives on the system bus, so we use --system to talk to its interface. Nearly all uses of dbus-send must also provide the --dest argument, which is the bus name of the connection the message is sent to; note that this is a bus name, not a D-Bus interface name, even though the two are often spelled alike. In our case it is org.fedoraproject.FirewallD1. The object path (here /org/fedoraproject/FirewallD1) and the name of the message to send (interface.method, for example org.fedoraproject.FirewallD1.getDefaultZone) must always be specified. Any following arguments are the message contents (message arguments), given as type-specified values of the form type:value, such as string:public, boolean:true or int32:5.

Here we use both firewall-cmd and dbus-send to retrieve a list of zones:
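The two dbus-send examples above, plus the introspection call and a typed-argument property read, as a small POSIX shell helper set. This is an added example written for this post, not code from the original page or from the firewalld project. The bus name, object path and interface names are the ones firewall-cmd itself uses; the method and property names (getDefaultZone, zone.getZones, interface_version) are assumed to match your daemon, which Introspect will confirm. The sample reply at the bottom is constructed, not captured from a live system, so the decoder can be exercised on a box without firewalld.

```shell
#!/bin/sh
# Added example: wrap dbus-send for firewalld. Not from the original post.
# Assumed names (match what firewall-cmd uses on RHEL 7; confirm with Introspect):
FWD_DEST=org.fedoraproject.FirewallD1          # bus name (--dest), not an interface
FWD_PATH=/org/fedoraproject/FirewallD1         # object path
FWD_IFACE=org.fedoraproject.FirewallD1         # top-level interface; zone methods are on .zone

# fwd_cmd IFACE METHOD [type:value ...]
# Prints (does not run) the dbus-send command line for METHOD on IFACE.
# --print-reply makes dbus-send wait for and show the reply; without it the
# call is fire-and-forget and nothing is printed.
fwd_cmd() {
    iface=$1; method=$2; shift 2
    printf 'dbus-send --system --print-reply --dest=%s %s %s.%s' \
        "$FWD_DEST" "$FWD_PATH" "$iface" "$method"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# fwd_reply_values: read dbus-send --print-reply output on stdin and emit bare
# values one per line (strings unquoted, numbers and booleans as-is). The
# "method return ..." header and the array [ ] brackets are dropped.
fwd_reply_values() {
    awk '
        $1 == "string" {
            s = $0
            sub(/^[ \t]*string "/, "", s)
            sub(/"$/, "", s)
            print s
            next
        }
        $1 ~ /^(boolean|byte|int16|uint16|int32|uint32|int64|uint64|double)$/ {
            print $2
        }
    '
}

# fwd_call IFACE METHOD [type:value ...]: run the call against the system bus
# and print the decoded values. Needs a running firewalld. Read-only methods
# work unprivileged; methods that change state are gated by polkit.
fwd_call() {
    iface=$1; method=$2; shift 2
    dbus-send --system --print-reply --dest="$FWD_DEST" "$FWD_PATH" \
        "$iface.$method" "$@" | fwd_reply_values
}

# --- What the command lines look like ---
# firewall-cmd --get-default-zone
fwd_cmd "$FWD_IFACE" getDefaultZone
# firewall-cmd --get-zones  (zone methods live on the .zone sub-interface)
fwd_cmd "$FWD_IFACE.zone" getZones
# Typed arguments: Properties.Get takes two strings, the interface and the property.
fwd_cmd org.freedesktop.DBus.Properties Get "string:$FWD_IFACE" string:interface_version
# The introspection XML discussed earlier in the post:
fwd_cmd org.freedesktop.DBus.Introspectable Introspect

# --- Decoding a reply offline ---
# Constructed sample of what --print-reply prints for zone.getZones with the
# nine stock zones; not captured from a live system.
SAMPLE_REPLY='method return time=1540000000.000000 sender=:1.7 -> destination=:1.42 serial=3 reply_serial=2
   array [
      string "block"
      string "dmz"
      string "drop"
      string "external"
      string "home"
      string "internal"
      string "public"
      string "trusted"
      string "work"
   ]'

# Named so a caller can check the decoded result.
sample_zones() {
    printf '%s\n' "$SAMPLE_REPLY" | fwd_reply_values
}
sample_zones
```

On a live system, "fwd_call $FWD_IFACE.zone getZones" gives the same nine names that "firewall-cmd --get-zones" prints, one per line, and "fwd_call org.freedesktop.DBus.Properties Get string:$FWD_IFACE string:interface_version" tells you which revision of the D-Bus API the daemon speaks. The decoder only handles the scalar and string-array shapes these calls return; nested dictionaries such as the zone.getActiveZones result need a real D-Bus binding rather than text scraping.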

Well, time to end this post. The above examples should be sufficient to give you an understanding of how to use the D-Bus interface to firewalld. Whilst I used the dbus-send utility, with slight syntax modifications the examples will also work with the Qt qdbus utility.

All the examples provided above work on RHEL 7.2, but there is no guarantee that they will work unchanged on later releases of RHEL, or on downstream distributions, as firewalld is still in fairly active development. Before relying on a method name, read the interface_version property on org.fedoraproject.FirewallD1 to see which revision of the D-Bus API the running daemon speaks, and use Introspect to see exactly what that daemon exports.